SSN Exception Requests

According to Security Control RA-2 - Security Categorization, information systems at Texas A&M are not allowed to store Social Security Numbers (SSNs). If an information system has a compelling business need to store SSNs, the information owner needs to submit an exception request.

To submit an exception request, email with the following information:

  • Business and technical contacts
  • Name of the information system (information systems can include multiple machines)
  • DNS name of each machine in the system
  • Business purpose for storing SSNs (e.g., State, Federal, Texas A&M regulations specifically require it)
  • Mitigation against data loss (e.g., encryption)
    • Provide technical details, including encryption method and algorithm strength, if applicable.
  • Data life cycle
    • How do you receive the data?
    • What do you with the data while you have it?
    • How and when do you dispose of the data?
  • Backups
    • What process is used to back up data?
    • What type of backup media is used and, if removable, how is media stored?
    • Are backups encrypted?

If you have questions, email